SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Plus San Antonio, Geneva, Tokyo, Sydney, Manama and Muscat all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

THE REST OF THE WEEK'S NEWS

Google Releases Chrome Update (November 4, 2010)

Google has pushed out an updated version of its Chrome browser to address a dozen security flaws. Eleven of the 12 vulnerabilities were reported by researchers, to whom Google paid a total of US $8,674. Chrome version 7.0.517.44 also includes an updated version of Adobe Flash Player to fix a vulnerability that is being actively exploited. Google and Adobe reached an agreement earlier this year that allows Google to bundle Flash Player with Chrome and update the plug-in through the Chrome updater.
-http://www.computerworld.com/s/article/9194947/Google_quashes_12_Chrome_bugs_gives_users_early_Flash_fix?taxonomyId=17

Princeton University professor of computer science and public affairs Edward Felten has been appointed chief technologist for the US Federal Trade Commission (FTC). FTC Chairman Jon Leibowitz said that Felten will bring "unparalleled expertise on high-technology markets and computer security, [as well as] invaluable input into the recommendations [the FTC] will be making soon for online privacy." Felten will take a leave of absence from Princeton for the position's year-long duration.
-http://voices.washingtonpost.com/posttech/2010/11/ftc_names_internet_security_an.html
-http://www.princeton.edu/main/news/archive/S28/88/79S34/
[Editor's Note (Pescatore): The Federal Trade Commission continues to quietly enforce existing regulations around privacy exposures, without needing new legislation or the mythical "industry cooperation." Glad to see they are adding a CTO with a very strong software security background.]

On Wednesday, November 3, a jury in Minnesota delivered a US $1.5 million verdict against Jammie Thomas-Rasset for illegally downloading 24 songs through Kazaa. The verdict is the third delivered in the filesharing case. The first trial in 2007 resulted in a US $220,000 judgment against Thomas-Rasset. The judge later declared a mistrial because he believed he had given the jury incorrect instructions. In June 2009, another jury delivered a US $1.92 million verdict against Thomas-Rasset; the judge reduced the amount to US $54,000, saying that the judgment "must bear some relation to actual damages." In January, Thomas-Rasset rejected an offer from the Recording Industry Association of America (RIAA) to settle the case for US $25,000.
-http://www.informationweek.com/news/software/server_virtualization/showArticle.jhtml?articleID=228200244
-http://www.wired.com/threatlevel/2010/11/monster-file-sharing-verdict/

Google has announced a "money for bugs" program that will pay researchers up to US $3,133 for finding serious flaws in YouTube, Blogger and other Google-run websites. Until now, Google had a bug bounty program only for flaws in its Chrome web browser. The new vulnerability reward program does not apply to client applications such as Picasa or Google Desktop. The highest bounties will be paid for privately reported vulnerabilities that allow cross-site scripting (XSS), cross-site request forgery (XSRF) and other flaws that could be exploited to compromise user data. Less serious flaws could fetch up to US $500.
-http://krebsonsecurity.com/2010/11/google-extends-security-bug-bounty-to-gmail-youtube-blogger/
-http://www.theregister.co.uk/2010/11/01/google_web_bug_bounties/
[Editor's Note (Skoudis): These programs do seem to help, and are relatively low cost. Good call, Google. For those puzzling over the odd number of $3,133... it is actually $3113.7, geekspeak for "Elite".]

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/